fix(api): introduce priority based logic for RBAC roles (#3374)
* fix(api): introduce priority based logic for RBAC roles
* refactor(api): rename method
pull/3386/head
parent
9decbce511
commit
81c0bf0632
|
@ -771,37 +771,25 @@ func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership
|
||||||
}
|
}
|
||||||
|
|
||||||
func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
|
func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
|
||||||
var roleAuthorizations []Authorizations
|
var associatedRoles []Role
|
||||||
|
|
||||||
for _, id := range roleIdentifiers {
|
for _, id := range roleIdentifiers {
|
||||||
for _, role := range roles {
|
for _, role := range roles {
|
||||||
if role.ID == id {
|
if role.ID == id {
|
||||||
roleAuthorizations = append(roleAuthorizations, role.Authorizations)
|
associatedRoles = append(associatedRoles, role)
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
processedAuthorizations := make(Authorizations)
|
var authorizations Authorizations
|
||||||
if len(roleAuthorizations) > 0 {
|
highestPriority := 0
|
||||||
processedAuthorizations = roleAuthorizations[0]
|
for _, role := range associatedRoles {
|
||||||
for idx, authorizations := range roleAuthorizations {
|
if role.Priority > highestPriority {
|
||||||
if idx == 0 {
|
highestPriority = role.Priority
|
||||||
continue
|
authorizations = role.Authorizations
|
||||||
}
|
|
||||||
processedAuthorizations = mergeAuthorizations(processedAuthorizations, authorizations)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return processedAuthorizations
|
return authorizations
|
||||||
}
|
|
||||||
|
|
||||||
func mergeAuthorizations(a, b Authorizations) Authorizations {
|
|
||||||
c := make(map[Authorization]bool)
|
|
||||||
|
|
||||||
for k := range b {
|
|
||||||
if _, ok := a[k]; ok {
|
|
||||||
c[k] = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return c
|
|
||||||
}
|
}
|
||||||
|
|
|
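Review bot: The selection loop in getAuthorizationsFromRoles (`if role.Priority > highestPriority`) never picks a role whose Priority is 0 and, on equal priorities, keeps whichever role came first in roleIdentifiers, so the outcome of a conflicting assignment depends on ordering and on every stored role having been migrated to a non-zero Priority. Because Priority is now a persisted, JSON-exposed field on Role, a role written without it falls into the 0 case and contributes nothing, which is a quiet way to lose an authorization set. When no role qualifies the function now returns a nil map where the old code returned `make(Authorizations)`; reads behave the same, but a caller that writes into the result or encodes it would see a panic or `null` instead of `{}`, and those callers are outside this hunk. With the seeded values (1 for Endpoint administrator through 4 for Read-only user) the largest Priority appears to be the most restrictive role, which is the intent worth stating in a doc comment: `// getAuthorizationsFromRoles returns the authorizations of the single matching role with the highest Priority value (ties: first in roleIdentifiers; roles with Priority 0 are never selected).`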
@ -34,6 +34,7 @@ func (store *Store) Init() error {
|
||||||
environmentAdministratorRole := &portainer.Role{
|
environmentAdministratorRole := &portainer.Role{
|
||||||
Name: "Endpoint administrator",
|
Name: "Endpoint administrator",
|
||||||
Description: "Full control of all resources in an endpoint",
|
Description: "Full control of all resources in an endpoint",
|
||||||
|
Priority: 1,
|
||||||
Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
|
Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -45,6 +46,7 @@ func (store *Store) Init() error {
|
||||||
environmentReadOnlyUserRole := &portainer.Role{
|
environmentReadOnlyUserRole := &portainer.Role{
|
||||||
Name: "Helpdesk",
|
Name: "Helpdesk",
|
||||||
Description: "Read-only access of all resources in an endpoint",
|
Description: "Read-only access of all resources in an endpoint",
|
||||||
|
Priority: 2,
|
||||||
Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
|
Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -56,6 +58,7 @@ func (store *Store) Init() error {
|
||||||
standardUserRole := &portainer.Role{
|
standardUserRole := &portainer.Role{
|
||||||
Name: "Standard user",
|
Name: "Standard user",
|
||||||
Description: "Full control of assigned resources in an endpoint",
|
Description: "Full control of assigned resources in an endpoint",
|
||||||
|
Priority: 3,
|
||||||
Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
|
Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -67,6 +70,7 @@ func (store *Store) Init() error {
|
||||||
readOnlyUserRole := &portainer.Role{
|
readOnlyUserRole := &portainer.Role{
|
||||||
Name: "Read-only user",
|
Name: "Read-only user",
|
||||||
Description: "Read-only access of assigned resources in an endpoint",
|
Description: "Read-only access of assigned resources in an endpoint",
|
||||||
|
Priority: 4,
|
||||||
Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
|
Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
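Review bot: The Priority values 1 through 4 are written as bare literals in each role literal here and again in updateUsersAndRolesToDBVersion22 in the migrator section below, with nothing tying them to the comparison in getAuthorizationsFromRoles that consumes them. A drift between the two sites, or a future role slotted in between, would silently change which role wins a conflict, so the values belong in one place, e.g. named constants in the portainer package next to the Role type (something like `EndpointAdministratorRolePriority = 1`, one per built-in role) referenced from both Init and the migration. The enclosing Init function starts and ends outside these hunks.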
@ -43,6 +43,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
endpointAdministratorRole.Priority = 1
|
||||||
endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
|
endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
|
||||||
|
|
||||||
err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)
|
err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)
|
||||||
|
@ -51,6 +52,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
helpDeskRole.Priority = 2
|
||||||
helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
|
helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
|
||||||
|
|
||||||
err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)
|
err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)
|
||||||
|
@ -59,6 +61,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
standardUserRole.Priority = 3
|
||||||
standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
|
standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
|
||||||
|
|
||||||
err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)
|
err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)
|
||||||
|
@ -67,6 +70,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
readOnlyUserRole.Priority = 4
|
||||||
readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
|
readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
|
||||||
|
|
||||||
err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
|
err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
|
||||||
|
|
|
@ -303,6 +303,7 @@ type (
|
||||||
Name string `json:"Name"`
|
Name string `json:"Name"`
|
||||||
Description string `json:"Description"`
|
Description string `json:"Description"`
|
||||||
Authorizations Authorizations `json:"Authorizations"`
|
Authorizations Authorizations `json:"Authorizations"`
|
||||||
|
Priority int `json:"Priority"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// AccessPolicy represent a policy that can be associated to a user or team
|
// AccessPolicy represent a policy that can be associated to a user or team
|
||||||
|
|
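Review bot: The new `Priority int` field (tagged `json:"Priority"`) carries no comment, yet its value decides which of several assigned roles' authorizations a user receives, so the direction of the ordering is undocumented at the one place every reader of Role will look. A one-line field comment would fix that, e.g. `// Priority ranks roles for conflict resolution; when a user holds several roles, the one with the highest Priority value is applied.` Since the field is JSON-exposed, if any role create/update handler decodes client input into Role it is worth confirming that Priority is ignored or server-assigned there; those handlers are not in this diff.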